In some countries, for example the Federal Republic of Germany, data retention laws require that personal data or data relating to individuals be stored by or on behalf of all sites, regardless of whether the data is currently needed. The purpose of such data retention is to improve the prevention and prosecution of criminal offences. To this end, the data has to be stored for a certain period of time so that it is available, for example, for purposes of criminal prosecution. Usually, data retention is carried out by the provider or operating company of a telecommunications service.
In order to ensure that the provider of a telecommunications service has no unauthorized access to the traffic data of its customers, for example in order to generate personality profiles, it is known to store the connection data in a secured environment and to encrypt it prior to storage. The secured environment is also referred to as a sealed infrastructure. The secured environment or sealed infrastructure prevents the data from being accessed by the provider of the infrastructure, by the telecommunications service provider offering the telecommunications service, or by other third parties. Further, it is known to encrypt the telecommunications data or connection data by means of two different encryption keys, one of which is deposited with a trustworthy authority, for example a notary. Unauthorized access to the connection or traffic data is thereby efficiently prevented, because in any case the key deposited with the trustworthy authority is necessary for access.
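As an added example, not part of the original description, the following Python sketch illustrates the two-key principle described above: a retained connection record is encrypted in two layers with independent keys, one held inside the sealed infrastructure and one deposited with the notary, so that neither party alone can read the record, or even verify that it decrypted correctly. The cipher is a constructed stdlib-only illustration (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) standing in for a real AEAD such as AES-GCM; the function names and the sample record are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey for a given purpose (encryption or MAC)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: HMAC-SHA256 over (nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under one key)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered record raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seal_record(infra_key: bytes, notary_key: bytes, record: bytes) -> bytes:
    """Two layers: inner layer under the infrastructure key, outer under the notary key."""
    return encrypt(notary_key, encrypt(infra_key, record))


def open_record(infra_key: bytes, notary_key: bytes, blob: bytes) -> bytes:
    """Both keys are needed: the notary layer must be removed before the infrastructure layer."""
    return decrypt(infra_key, decrypt(notary_key, blob))


def single_key_suffices(key: bytes, blob: bytes) -> bool:
    """True only if one key alone opens a sealed record; with this scheme it never should."""
    try:
        decrypt(key, decrypt(key, blob))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    infra_key = os.urandom(32)     # held inside the sealed infrastructure
    notary_key = os.urandom(32)    # deposited with the trustworthy authority
    # Constructed sample connection record, not real traffic data.
    record = b"2013-03-01T08:15:00Z subscriber=A called=B duration=42s"
    sealed = seal_record(infra_key, notary_key, record)
    print("opens with both keys:", open_record(infra_key, notary_key, sealed) == record)
    print("infra key alone:     ", single_key_suffices(infra_key, sealed))
    print("notary key alone:    ", single_key_suffices(notary_key, sealed))
```

Because each layer is authenticated, a party holding only one key cannot even confirm whether a guessed second key was correct; every decryption attempt with the wrong key fails the tag check rather than yielding garbled plaintext that might leak structure.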
In order to also protect the data exchanged between the subscribers of a telecommunications service, for example electronic messages or electronic documents, from unauthorized access by the telecommunications service provider or other third parties, it is known to encrypt the data received from a subscriber such that only the subscribers for whom the data is intended may access it. Both the encryption and the decryption keys may be stored in the secured environment mentioned above. This ensures that neither the telecommunications service provider nor other third parties have access to the traffic data or to the user data. An unauthorized evaluation of, for example, the traffic data within the scope of a dragnet investigation is thereby efficiently prevented, as long as no judicial order exists that permits the use of the key deposited with the trustworthy authority, for example a notary.
This prior-art method for securing traffic data and user data has the disadvantage, however, that even if the subscribers of a telecommunications service exchange data via a secure, for example encrypted, communications connection, the telecommunications service provider is able to deduce from the data traffic who communicates with whom. The telecommunications service provider may obtain this information even if the communication between the subscribers and the telecommunications service is encrypted, because the content of the data exchanged between the subscribers is not needed to learn who communicates with whom.
This problem arises in particular if a telecommunications service, after receiving a message, for example an electronic document, from a subscriber, signals to the subscriber for whom the message is intended, by means of a further message, that a message is waiting for him. Since the data exchange between the subscribers and the telecommunications service is always "visible" to the telecommunications service provider, the provider can infer from the fact that a message has been deposited by one subscriber for a certain other subscriber, and that the intended recipient has been notified of it, that the two subscribers communicate with each other. This holds even if the data exchange itself is encrypted, and even if the subscriber for whom the message is intended never retrieves it from the telecommunications service.
Since the information about who communicates with whom is also classified as telecommunications traffic data, which can be used for a dragnet investigation or for the generation of personality profiles, the prior-art methods for data retention, although meeting high security standards, are not sufficiently protected or secured to efficiently prevent the possibility of an unauthorized evaluation of telecommunications traffic data.